Technical Discovery: FIPS compliance for custom CA certs
Why are we doing this work
FIPS compliance is a requirement for the US Government to use a piece of software. It is required for any FISMA or FedRAMP system and cannot be waived.
For GitLab to be directly usable within the US Government, we need to be compliant.
Relevant links
- FIPS 140-2 Compliant GitLab (&6452 - closed)
- RHEL docs on using shared system certificates
- Example Container Scanning UBI support including custom cert work and cert_spec.rb
The Unknown
How do we comply with FIPS and support custom CA certs? Do we need to write them to a FIPS compliant path? Do we need to disable the feature altogether?
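As an added example (not GitLab's code, and not a decision on the question above), the following script shows the RHEL shared system certificate approach referenced in the links: a custom CA is staged into the system trust anchors directory and the consolidated bundles are refreshed with `update-ca-trust`, rather than being written to an application-private path. The `CA_TRUST_ANCHORS` override, the `install_custom_ca` and `is_pem_cert` function names, and the sample PEM content are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage a custom CA into the RHEL/UBI shared system trust store.
# CA_TRUST_ANCHORS is an assumed override so the functions can be exercised
# against a scratch directory; the default is the RHEL anchors path.
set -eu

DEFAULT_ANCHORS="/etc/pki/ca-trust/source/anchors"
CA_TRUST_ANCHORS="${CA_TRUST_ANCHORS:-$DEFAULT_ANCHORS}"

# is_pem_cert FILE: succeed only if FILE carries PEM certificate markers.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# install_custom_ca FILE: copy FILE into the anchors directory and, when the
# real system path is in use, rebuild the extracted trust bundles.
# Returns 1 and installs nothing when FILE is not PEM.
install_custom_ca() {
    src="$1"
    if ! is_pem_cert "$src"; then
        echo "refusing to install $src: not a PEM certificate" >&2
        return 1
    fi
    mkdir -p "$CA_TRUST_ANCHORS"
    cp "$src" "$CA_TRUST_ANCHORS/$(basename "$src")"
    # update-ca-trust regenerates /etc/pki/ca-trust/extracted/*; only run it
    # for the real anchors directory and only where the tool exists.
    if [ "$CA_TRUST_ANCHORS" = "$DEFAULT_ANCHORS" ] &&
       command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    fi
}

# Usage: sh install-ca.sh /path/to/corp-root.pem
if [ "$#" -gt 0 ]; then
    install_custom_ca "$1"
fi
```

Consumers that honour the shared trust store (OpenSSL-linked tools on RHEL, including those running with the FIPS provider) then see the CA without any per-application cert path, which is one of the options the question above is weighing.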
Edited by Lucas Charles